Bug 22736 - php new security issue CVE-2018-7584
Summary: php new security issue CVE-2018-7584
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-11 14:46 CET by David Walser
Modified: 2018-03-14 17:22 CET

See Also:
Source RPM: php-5.6.33-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 5.6.34


Attachments

Description David Walser 2018-03-11 14:46:22 CET
Upstream has released PHP 5.6.34 on March 1, fixing one security issue:
http://www.php.net/ChangeLog-5.php#5.6.34

Mageia 5 is also affected.
David Walser 2018-03-11 14:46:37 CET

Status comment: (none) => Fixed upstream in 5.6.34
Whiteboard: (none) => MGA5TOO

Comment 1 Marc Krämer 2018-03-11 23:37:53 CET
@David: please report php issues to the php-mailing list. I'm wondering why I missed this php update, but thanks.

CC: (none) => mageia

Marc Krämer 2018-03-11 23:37:59 CET

Assignee: bugsquad => mageia

Comment 2 David Walser 2018-03-11 23:39:20 CET
Marc, I report all security issues to Bugzilla.  Maintainers need to watch it or the bugsquad needs to assign the bugs to the right place.
Comment 3 Marc Krämer 2018-03-11 23:55:20 CET
Updated php-packages for mga5/6:

Suggested advisory:
========================

Updated php packages fix security vulnerability:
Update to php 5.6.34 fixes a stack-buffer-overflow while parsing HTTP response (CVE-2018-7584).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584
http://www.php.net/ChangeLog-5.php#5.6.34
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.34-1.mga6
apache-mod_php-5.6.34-1.mga6
php-cli-5.6.34-1.mga6
php-cgi-5.6.34-1.mga6
libphp5_common5-5.6.34-1.mga6
php-devel-5.6.34-1.mga6
php-openssl-5.6.34-1.mga6
php-zlib-5.6.34-1.mga6
php-doc-5.6.34-1.mga6
php-bcmath-5.6.34-1.mga6
php-bz2-5.6.34-1.mga6
php-calendar-5.6.34-1.mga6
php-ctype-5.6.34-1.mga6
php-curl-5.6.34-1.mga6
php-dba-5.6.34-1.mga6
php-dom-5.6.34-1.mga6
php-enchant-5.6.34-1.mga6
php-exif-5.6.34-1.mga6
php-fileinfo-5.6.34-1.mga6
php-filter-5.6.34-1.mga6
php-ftp-5.6.34-1.mga6
php-gd-5.6.34-1.mga6
php-gettext-5.6.34-1.mga6
php-gmp-5.6.34-1.mga6
php-hash-5.6.34-1.mga6
php-iconv-5.6.34-1.mga6
php-imap-5.6.34-1.mga6
php-interbase-5.6.34-1.mga6
php-intl-5.6.34-1.mga6
php-json-5.6.34-1.mga6
php-ldap-5.6.34-1.mga6
php-mbstring-5.6.34-1.mga6
php-mcrypt-5.6.34-1.mga6
php-mssql-5.6.34-1.mga6
php-mysql-5.6.34-1.mga6
php-mysqli-5.6.34-1.mga6
php-mysqlnd-5.6.34-1.mga6
php-odbc-5.6.34-1.mga6
php-opcache-5.6.34-1.mga6
php-pcntl-5.6.34-1.mga6
php-pdo-5.6.34-1.mga6
php-pdo_dblib-5.6.34-1.mga6
php-pdo_firebird-5.6.34-1.mga6
php-pdo_mysql-5.6.34-1.mga6
php-pdo_odbc-5.6.34-1.mga6
php-pdo_pgsql-5.6.34-1.mga6
php-pdo_sqlite-5.6.34-1.mga6
php-pgsql-5.6.34-1.mga6
php-phar-5.6.34-1.mga6
php-posix-5.6.34-1.mga6
php-readline-5.6.34-1.mga6
php-recode-5.6.34-1.mga6
php-session-5.6.34-1.mga6
php-shmop-5.6.34-1.mga6
php-snmp-5.6.34-1.mga6
php-soap-5.6.34-1.mga6
php-sockets-5.6.34-1.mga6
php-sqlite3-5.6.34-1.mga6
php-sybase_ct-5.6.34-1.mga6
php-sysvmsg-5.6.34-1.mga6
php-sysvsem-5.6.34-1.mga6
php-sysvshm-5.6.34-1.mga6
php-tidy-5.6.34-1.mga6
php-tokenizer-5.6.34-1.mga6
php-xml-5.6.34-1.mga6
php-xmlreader-5.6.34-1.mga6
php-xmlrpc-5.6.34-1.mga6
php-xmlwriter-5.6.34-1.mga6
php-xsl-5.6.34-1.mga6
php-wddx-5.6.34-1.mga6
php-zip-5.6.34-1.mga6
php-fpm-5.6.34-1.mga6
phpdbg-5.6.34-1.mga6
php-debuginfo-5.6.34-1.mga6

Source RPMs: 
php-5.6.34-1.mga5.src.rpm
php-5.6.34-1.mga6.src.rpm
Marc Krämer 2018-03-11 23:55:30 CET

Assignee: mageia => qa-bugs

Comment 4 PC LX 2018-03-12 12:09:02 CET
Installed and tested without issues.

Tests included using a variety of large and small scripts (e.g. wordpress, drupal, custom scripts) that make extensive use of PHP and PHP extensions. Several of the custom scripts have test units that completed successfully.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-5.6.34-1.mga6
lib64php5_common5-5.6.34-1.mga6
php-cli-5.6.34-1.mga6
php-ctype-5.6.34-1.mga6
php-curl-5.6.34-1.mga6
php-dom-5.6.34-1.mga6
php-filter-5.6.34-1.mga6
php-ftp-5.6.34-1.mga6
php-gd-5.6.34-1.mga6
php-gettext-5.6.34-1.mga6
php-hash-5.6.34-1.mga6
php-ini-5.6.34-1.mga6
php-intl-5.6.34-1.mga6
php-json-5.6.34-1.mga6
php-mbstring-5.6.34-1.mga6
php-memcached-2.2.0-2.mga6
php-mysqli-5.6.34-1.mga6
php-mysqlnd-5.6.34-1.mga6
php-openssl-5.6.34-1.mga6
php-pdo-5.6.34-1.mga6
php-pdo_mysql-5.6.34-1.mga6
php-pdo_pgsql-5.6.34-1.mga6
php-pdo_sqlite-5.6.34-1.mga6
php-phpmailer-5.2.24-1.1.mga6
php-posix-5.6.34-1.mga6
php-session-5.6.34-1.mga6
php-suhosin-0.9.38-1.mga6
php-sysvsem-5.6.34-1.mga6
php-sysvshm-5.6.34-1.mga6
php-timezonedb-2017.2-1.mga6
php-tokenizer-5.6.34-1.mga6
php-xdebug-2.4.0-1.mga6
php-xml-5.6.34-1.mga6
php-xmlreader-5.6.34-1.mga6
php-xmlwriter-5.6.34-1.mga6
php-zlib-5.6.34-1.mga6

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
CC: (none) => mageia

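A QA-style check of the kind comment 4 does by hand: compare an `rpm -qa | grep php` listing against the fixed build named in the advisory (5.6.34-1.mga6) and report any php sub-package still below it. This is an added example, not code from the bug report or from Mageia; the sub-package set is taken from the advisory list in comment 3, the sample listing is constructed from comment 4, and the version comparison is a simplified rpmvercmp (assumed adequate for Mageia's name-version-release scheme).

```python
import re

# Fixed build from the advisory in comment 3.
FIXED_VERSION, FIXED_RELEASE = "5.6.34", "1.mga6"

# Sub-packages built from the php source RPM (subset of the advisory list).
PHP_SUBPACKAGES = frozenset("""
apache-mod_php libphp5_common5 php-cli php-cgi php-fpm php-ctype php-curl
php-dom php-filter php-ftp php-gd php-gettext php-hash php-ini php-intl
php-json php-mbstring php-mysqli php-mysqlnd php-openssl php-pdo
php-pdo_mysql php-pdo_pgsql php-pdo_sqlite php-posix php-session
php-sysvsem php-sysvshm php-tokenizer php-xml php-xmlreader php-xmlwriter
php-zlib php-opcache
""".split())

# Constructed sample: a trimmed copy of the x86_64 listing in comment 4.
SAMPLE_RPM_QA = """\
apache-mod_php-5.6.34-1.mga6
lib64php5_common5-5.6.34-1.mga6
php-cli-5.6.34-1.mga6
php-memcached-2.2.0-2.mga6
php-xdebug-2.4.0-1.mga6
"""

def parse_nvr(line):
    """Split 'name-version-release' from the right, since names contain '-'."""
    name, version, release = line.strip().rsplit("-", 2)
    # Assumption: Mageia names 64-bit library packages lib64*, advisory says lib*.
    if name.startswith("lib64"):
        name = "lib" + name[5:]
    return name, version, release

def _segments(s):
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def rpmvercmp(a, b):
    """Return -1, 0 or 1; simplified rpmvercmp (numeric segment beats alpha)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outdated_php_packages(rpm_qa_output, version=FIXED_VERSION, release=FIXED_RELEASE):
    """Names of php-src sub-packages older than the fixed build; add-ons ignored."""
    stale = []
    for line in filter(str.strip, rpm_qa_output.splitlines()):
        name, v, r = parse_nvr(line)
        if name in PHP_SUBPACKAGES:  # php-xdebug etc. come from other source RPMs
            if (rpmvercmp(v, version) or rpmvercmp(r, release)) < 0:
                stale.append(name)
    return stale
```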
Comment 5 David Walser 2018-03-12 12:45:09 CET
Thanks Marc.  Tested fine on Mageia 5 x86_64 with my normal battery of tests.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 6 claire robinson 2018-03-14 15:01:32 CET
Advisory uploaded. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-14 17:22:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0167.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
